SEC_ERROR_BAD_SIGNATURE on private CA certificates

Was there a recent change that invalidates private certificates, with its private CA imported into my FF CA repository?

What I have set up, which worked not too long ago, was defining the IP address and host name in the C:\Windows\System32\drivers\etc\hosts file, then importing the remote site's private CA certificate in FF. From that point on, it trusted my private URLs due to the matching private CA. Now, it generates SEC_ERROR_BAD_SIGNATURE.

I renamed the cert8.db file and restarted FF. I now get the normal "untrusted" error; I then re-imported the private CA to make the "untrusted" error go away. However, that still gave me SEC_ERROR_BAD_SIGNATURE. So, something must've changed.

I even tried disabling OCSP checking (I thought it was optional if it couldn't check). I then disabled OCSP stapling. Neither resolved this issue; I was thinking it was trying to check with the OCSP server, which it can't reach due to the firewall since it's internal to the other private LAN.

I'm not sure where to look. I tried Googling for answers, which led me to the above two solutions to try.

The CA I have is a private CA, generated by Microsoft Windows Server 2008 R2 with the Active Directory Certificate Authority installation. Like I said, it was working in FF fairly recently. Let me know what else you need me to provide.

Regards,

John Babbitt
Systems Administrator
Cutler Investment Group, LLC


Chosen solution

Actually, I did say I did that in the very first post. Anyways, just figured out the problem!

I knew it was related to the CA certificate. Sigh. OK, so there were two CA certificates with the same name and I only loaded one. One was SHA-1, the other one was SHA-256. I had the SHA-256 but not the SHA-1. The private URL I was trying to access was made with the SHA-1 and has yet to move over to the new SHA-256. Adding the SHA-1 certificate resolved my issue. A mismatched certificate was the reason. I think this error needs to be more specific than just "bad signature". Hope this helps other people!
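An added example, not from the thread, that reproduces the situation John found with OpenSSL and shows the check that would have pinpointed it: two CA certificates carrying the same subject name but different key pairs (such as after a CA certificate is renewed with a new key), and a server certificate issued by only one of them. Trusting just the other CA cannot verify the server certificate's signature, however well the name matches. The `find_signing_ca` helper generalizes the fix: given any set of candidate CA files, it reports the one that actually signed the leaf. All names and the temporary PKI are constructed; both CAs are SHA-256-signed here because current OpenSSL rejects SHA-1 signatures at its default security level, and the mismatched key, not the digest, is what breaks the signature.

```shell
# Added example, not from the thread: two CA certs with the SAME subject name
# but DIFFERENT keys (as after a CA is renewed with a new key pair), and a
# server cert issued by the old key only, so the new CA alone cannot verify
# it. Names are constructed; both CAs use SHA-256 because current OpenSSL
# rejects SHA-1 signatures by default, and the key, not the digest, matters.

CA_SUBJ="/CN=Example Private CA"      # the shared, ambiguous CA name

# Build a throw-away PKI in a temp dir; exports WORK for the other helpers.
make_demo_pki() {
    WORK=$(mktemp -d)
    for ca in old new; do              # same subject, a fresh key each time
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "$CA_SUBJ" -keyout "$WORK/ca_$ca.key" \
            -out "$WORK/ca_$ca.pem" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=intranet.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca_old.pem" \
        -CAkey "$WORK/ca_old.key" -CAcreateserial -days 30 -sha256 \
        -out "$WORK/leaf.pem" >/dev/null 2>&1   # signed by the OLD key only
}

# SHA-256 of a certificate's DER public key: same subject name, different key.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the CA certificate in $2 verifies the leaf certificate in $1.
verifies_with() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then return 0; fi
    return 1
}

# Print the candidate CA file that actually signed the leaf; this is the check
# to run when a CA has been renewed and several same-named CA certs exist.
find_signing_ca() {
    _leaf=$1; shift
    for _ca in "$@"; do
        if verifies_with "$_leaf" "$_ca"; then echo "$_ca"; return 0; fi
    done
    return 1
}

make_demo_pki
echo "old CA key: $(pubkey_fingerprint "$WORK/ca_old.pem")"
echo "new CA key: $(pubkey_fingerprint "$WORK/ca_new.pem")"
echo "new CA alone: $(openssl verify -CAfile "$WORK/ca_new.pem" "$WORK/leaf.pem" 2>&1 | grep 'depth lookup')"
echo "signed by: $(find_signing_ca "$WORK/leaf.pem" "$WORK/ca_new.pem" "$WORK/ca_old.pem")"
```

The exact reason OpenSSL prints for the new CA varies by version (signature failure or no matching issuer), but the outcome is the same: only the CA whose key signed the leaf verifies it, so every CA certificate a server chain can hang off must be imported, not just the one with the right name.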


Unfortunately, those are what I also found, and I tried them all. The thing is, if I take out the private CA certificate, go to the URL, and add it to the exceptions, it works fine. Just not when I add in the private CA certificate. So, it is directly related to the CA certificate. What changed, now that it is no longer trusting my private CA certificate? I see this:

"An error occurred during a connection to <private URL>. Peer’s certificate has an invalid signature. Error code: SEC_ERROR_BAD_SIGNATURE"

"The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

What is it trying to verify? I disabled OCSP checking. Is it still trying to look up OCSP? It will fail because the OCSP site is unreachable from my workstation.

Like I said, I disabled OCSP checking and OCSP stapling but still get the same result.

You may have a corrupt cert8.db file. cert8.db stores all your security certificate settings.

Type about:support<enter> in the address bar.

Under the page logo on the left side, you will see Application Basics. Under this, find Profile Folder. To its right, press the button Show Folder. This will open your file browser to the current Firefox profile. Now close Firefox.

Locate the above file. Then rename or delete it. Restart Firefox.

I called for more help.
